auditd fails to add rules when used in precise with -lts-quantal kernel

Bug #1158500 reported by Matthew Ashton
This bug affects 7 people
Affects / Importance / Assigned to:
- audit (Ubuntu): High, assigned to Tyler Hicks
- audit (Ubuntu Precise): Undecided, assigned to Tyler Hicks
- linux (Ubuntu): High, Unassigned
- linux (Ubuntu Precise): Undecided, Unassigned

Bug Description

auditctl fails to add rules when run with the -lts-quantal kernel

Example:
# auditctl -l
No rules
# auditctl -a entry,always -F arch=b64 -S execve -k exec
Error sending add rule data request (Invalid argument)
#

Looks like the syscall table needs updating, it works with the 3.2.0 kernel.

Tagging this as a security vulnerability because it fails fairly quietly and may lead to high-security systems (like PCI-compliant systems) not having required auditing; I only noticed by looking in /var/log/boot.log.

Description: Ubuntu 12.04.2 LTS
Release: 12.04

ii auditd 1.7.18-1ubuntu1 User space tools for security auditing
ii linux-image-generic-lts-quantal 3.5.0.26.33 Generic Linux kernel image

information type: Private Security → Public
Revision history for this message
Sam Sharpe (sam-sharpe) wrote :

As far as I can see, the update of Precise to 12.04.3, which installs the lts-raring kernel by default, breaks auditd. I can no longer specify any audit rules that reference syscalls.

That makes the inclusion of the audit packages in Precise pretty pointless...

tags: added: kernel-da-key
Changed in linux (Ubuntu):
importance: Undecided → High
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Can you see if this bug also affects the Saucy backport kernel, which will be used in 12.04.4? The .deb is available from:

http://launchpadlibrarian.net/158291468/linux-generic-lts-saucy_3.11.0.15.14_amd64.deb

tags: added: precise raring
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1158500

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Matthew Ashton (matthew.ashton) wrote :

Still present with 3.11.0.15.14.
(leaving out the apport-collect, sorry)

# dpkg -l linux-image-generic-lts-saucy
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-=================================-=================================-==================================================================================
ii linux-image-generic-lts-saucy 3.11.0.15.14 Generic Linux kernel image
# uname -a
Linux alum 3.11.0-15-generic #23~precise1-Ubuntu SMP Tue Dec 10 16:39:48 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
# auditctl -l
No rules
# auditctl -a entry,always -F arch=b64 -S execve -k exec
Error sending add rule data request (Invalid argument)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in audit (Ubuntu):
status: New → Confirmed
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I built Saucy's audit package for Precise and ran it under the -lts-saucy kernel. When running the auditctl command in the bug description, it emitted the following warning:

  Warning - entry rules deprecated, changing to exit rule

Starting with kernel version 3.3, the audit kernel code refuses entry,always rules. Starting with audit version 2.0, auditctl converts entry,always rules to exit,always rules.

The fix seems to be to backport upstream audit commits 300, 301, and 307 to Precise's audit package to make auditctl convert entry,always rules to exit,always.

Changed in audit (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: Confirmed → Triaged
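The conversion Tyler describes (auditctl 2.0 rewriting entry,always to exit,always, which the 1.7.18 auditctl in Precise does not do) can be applied to a rules file ahead of time. The following is an added example, not code from the audit project or from anyone in this report; the rule regex, the sample rules file and the kernel-version check are my own assumptions, the rule text itself mirrors the one in the bug description.

```python
import re

# -a/-A rules take "list,action" or "action,list"; kernels from 3.3 reject
# the 'entry' list, so only that list name is rewritten (to 'exit').
_RULE_RE = re.compile(r'^(\s*-[aA]\s+)([A-Za-z]+),([A-Za-z]+)(.*)$')

def kernel_rejects_entry(release):
    """True when a uname -r string names a kernel of 3.3 or newer."""
    m = re.match(r'(\d+)\.(\d+)', release)
    if not m:
        raise ValueError("unparsable kernel release: %r" % release)
    return (int(m.group(1)), int(m.group(2))) >= (3, 3)

def convert_rule(line):
    """Return (line, changed); non-rule lines and non-entry rules pass through."""
    m = _RULE_RE.match(line)
    if not m:
        return line, False
    prefix, first, second, rest = m.groups()
    if first == 'entry':
        return "%sexit,%s%s" % (prefix, second, rest), True
    if second == 'entry':
        return "%s%s,exit%s" % (prefix, first, rest), True
    return line, False

def convert_rules(text):
    """Convert a whole rules-file body; returns (new_text, [(lineno, old, new)])."""
    out, changes = [], []
    for n, line in enumerate(text.splitlines(), 1):
        new, changed = convert_rule(line)
        out.append(new)
        if changed:
            changes.append((n, line, new))
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changes

# Constructed sample rules file (not the reporter's); line 2 is the rule
# from the bug description, line 3 the same rule with the fields swapped.
SAMPLE_RULES = """\
# constructed sample, not the reporter's rules file
-a entry,always -F arch=b64 -S execve -k exec
-a always,entry -F arch=b32 -S execve -k exec
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k access
-w /etc/passwd -p wa -k identity
"""

if __name__ == "__main__":
    converted, changes = convert_rules(SAMPLE_RULES)
    for n, old, new in changes:
        print("line %d: %s  ->  %s" % (n, old, new))
```

After rewriting, load the file and confirm with `auditctl -l` that every rule actually landed, since the original failure only surfaces as an error in boot.log.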
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Marking the kernel task as invalid, since this is an auditctl bug.

Changed in linux (Ubuntu):
status: Incomplete → Invalid
Changed in audit (Ubuntu):
importance: Medium → High
Tyler Hicks (tyhicks)
Changed in audit (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Just noticed that [1] is most likely a duplicate of this.

[1] https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1317188

Revision history for this message
samlt (samuel-lethiec) wrote :

Hello,

Any news on this? It's when you really need it that you realize auditd has not been working for some time already.

More than annoying, I find this bug quite critical given that it renders auditd almost useless.

I'm no developer, but is the change difficult to backport? What are we missing? Time/manpower?

Help greatly appreciated,

Thanks.

Revision history for this message
gouz@root-me.org (gouz) wrote :

We really need to have auditd working!

"More than annoying I find this bug quite critical given it renders auditd almost useless." => So true; it's quite amazing for an LTS/stable branch...

Please do something :-)

Revision history for this message
Martin Cozzi (maraca77) wrote :

We are being impacted too.
Running Ubuntu 12.04 with auditd 1.7.18-1ubuntu1.

Revision history for this message
gouz@root-me.org (gouz) wrote :

Any news?

Revision history for this message
Farhanible (farhanible) wrote :

Am I missing something, or is the current workaround to use exit,always rules?

Changed in linux (Ubuntu Precise):
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in audit (Ubuntu Precise):
status: New → Confirmed
Changed in audit (Ubuntu Precise):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in audit (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in audit (Ubuntu Precise):
status: Confirmed → Won't Fix